CMMC AU.2.042 - Retain System Audit Logs

Requirement text: AU.2.042: Create and retain system audit logs and records to the extent needed to
enable the monitoring, analysis, investigation, and reporting of unlawful or
unauthorized system activity.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
An event is any observable occurrence in a system, which includes unlawful or unauthorized
system activity. Organizations identify event types for which a logging functionality is
needed as those events which are significant and relevant to the security of systems and the
environments in which those systems operate to meet specific and ongoing auditing needs.
Event types can include password changes, failed logons or failed accesses related to
systems, administrative privilege usage, or third-party credential usage. In determining
event types that require logging, organizations consider the monitoring and auditing
appropriate for each of the CUI security requirements. Monitoring and auditing
requirements can be balanced with other system needs. For example, organizations may
determine that systems must have the capability to log every file access both successful and
unsuccessful, but not activate that capability except for specific circumstances due to the
potential burden on system performance.

Audit records can be generated at various levels of abstraction, including at the packet level
as information traverses the network. Selecting the appropriate level of abstraction is a
critical aspect of an audit logging capability and can facilitate the identification of root causes
to problems. Organizations consider, in the definition of event types, the logging necessary
to cover related events such as the steps in distributed, transaction-based processes (e.g.,
processes that are distributed across multiple organizations) and actions that occur in
service-oriented or cloud-based architectures.

Audit record content that may be necessary to satisfy this requirement includes time stamps,
source and destination addresses, user or process identifiers, event descriptions, success or
failure indications, filenames involved, and access control or flow control rules invoked.
Event outcomes can include indicators of event success or failure and event-specific results
(e.g., the security state of the system after the event occurred).

Detailed information that organizations may consider in audit records includes full text
recording of privileged commands or the individual identities of group account users.
Organizations consider limiting the additional audit log information to only that information
explicitly needed for specific audit requirements. This facilitates the use of audit trails and
audit logs by not including information that could potentially be misleading or could make it
more difficult to locate information of interest. Audit logs are reviewed and analyzed as often
as needed to provide important information to organizations to facilitate risk-based decision
making. NIST SP 800-92 provides guidance on security log management.

CMMC CLARIFICATION
You should ensure that the system creates and retains audit logs. The logs should contain
enough information to identify and investigate unlawful or unauthorized system activity.
You select the events that require auditing. Also, you determine the information to record in
the audit logs about those events.

Example
You set up audit logging capability for your organization. You determine that all systems
that contain CUI must have extra detail in the audit logs. Because of this, you configure these
systems to log the following information for all user actions:
• time stamps;
• source and destination addresses;
• user or process identifiers;
• event descriptions;
• success or failure indications; and
• filenames.
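As an added illustration of the example above (not part of the CMMC or NIST text), the following Python checks that each audit record carries every listed field and reports how many days back the retained log reaches; the JSON-lines layout, field names and sample records are assumptions constructed for the example.

```python
"""Check audit records against the field list in the example above and
report how far back the retained log reaches.  Added example, not from
CMMC or NIST; the JSON-lines record layout and field names are assumed."""
import json
from datetime import datetime, timedelta, timezone

# One field per bullet in the example: time stamp, source and destination
# address, user or process identifier, event description, outcome, filename.
REQUIRED_FIELDS = ("timestamp", "src_addr", "dst_addr", "subject",
                   "event", "outcome", "filename")
OUTCOMES = {"success", "failure"}

# Constructed sample: two complete records, a third lacking the filename.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T08:00:00+00:00", "src_addr": "10.0.0.5", "dst_addr": "10.0.0.20", "subject": "alice", "event": "file_read", "outcome": "success", "filename": "/cui/contract.pdf"}
{"timestamp": "2024-03-01T08:05:00+00:00", "src_addr": "10.0.0.5", "dst_addr": "10.0.0.20", "subject": "alice", "event": "file_write", "outcome": "failure", "filename": "/cui/contract.pdf"}
{"timestamp": "2024-03-02T09:00:00+00:00", "src_addr": "10.0.0.9", "dst_addr": "10.0.0.20", "subject": "pid:4412", "event": "privileged_cmd", "outcome": "success"}
"""

def parse_log(text):
    """Parse JSON-lines text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def record_problems(record):
    """List what keeps one record from satisfying the required content."""
    problems = ["missing:" + f for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("outcome") and record["outcome"] not in OUTCOMES:
        problems.append("bad_outcome:" + str(record["outcome"]))
    return problems

def incomplete_records(records):
    """Map line number (1-based) to its problems, for records that have any."""
    return {i: p for i, r in enumerate(records, 1) if (p := record_problems(r))}

def retention_coverage_days(records, now):
    """Days between the oldest retained record and `now`.  If this falls short
    of the retention period the organization set, records were either purged
    early or logging started recently; both deserve an explanation."""
    oldest = min(datetime.fromisoformat(r["timestamp"]) for r in records)
    return (now - oldest) / timedelta(days=1)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("incomplete:", incomplete_records(recs))
    now = datetime(2024, 3, 31, 8, 0, tzinfo=timezone.utc)
    print("coverage days:", round(retention_coverage_days(recs, now), 1))
```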

References
• NIST SP 800-171 Rev 1 3.3.1
• CIS Controls v7.1 6.2
• NIST CSF v1.1 DE.CM-1, DE.CM-3, DE.CM-7
• CERT RMM v1.2 MON:SG2.SP3
• NIST SP 800-53 Rev 4 AU-2, AU-3, AU-3(1), AU-6, AU-11, AU-12
